LMTP and passdb deny=yes not working
Steffen Kaiser
skdovecot at smail.inf.fh-brs.de
Wed Aug 27 13:20:43 UTC 2014
On Wed, 27 Aug 2014, Jogi Hofmüller wrote:
> On 2014-08-26 16:48, Gregory Finch wrote:
>> I don't think that LMTP/LDA use passdb. I'm pretty sure that they use
>> userdb only.
>>
>> The delivery agents just need to lookup if the recipient exists and
>> where to store the mail.
>
> OK, good point. Now I tried to disable LMTP for one user by means of a
> special userdb that would return 'return-fail' when it finds a user. I
> figured then LMTP would reject the message. Not so much though ...
> this is the special userdb I am using. The default fields are there to
> keep error messages in logs low.
>
> userdb {
> driver = passwd-file
> args = /etc/dovecot/deny/%s/deny-user
> default_fields = uid=vmail gid=vmail home=/tmp/%Ln
>
> result_success = return-fail
> }
>
> Attached you find the config I tested.
You have lots of userdbs in your config. If you use %s in the general
ones, I would remove the special ones in the "lmtp" section altogether.
Also, try this #1
userdb {
args = /etc/dovecot/deny/%s/deny-user
default_fields = uid=vmail gid=vmail home=/tmp/non-existant-name
driver = passwd-file
}
That way, you get a hit for that userdb. Now return a _non-existent_
mail location. You get an error in the logs, but LMTP should tempfail the
request.
===============
Try #2
If you enforce quota and tempfail the message if the user is over quota,
lower the user's quota to 1 byte temporarily.
===============
Try this #3
Just use one userdb:
userdb {
args = /etc/dovecot/dovecot-ldap.conf.ext
driver = ldap
}
Then extend your userdb query by:
(&(original query)(!(attr=%s)))
Choose any attr'ibute with text, such as description, that does no harm to
other services. Then the LMTP service should get no hit and should, IMHO,
tempfail the delivery.
-- 
Steffen Kaiser
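
Suggestion #3 worked through as an added example (not part of the original message and not Dovecot code): a small evaluator for the extended LDAP filter, showing that the negated clause hides an entry only from the service named in its attribute, and that entries lacking the attribute still match. The entries, the "original query" and the use of description are constructed assumptions; only %u, %n and %s are expanded.

```python
import re

# Constructed directory entries (not from the thread); attribute values are lists.
ENTRIES = [
    {"objectClass": ["posixAccount"], "uid": ["alice"], "description": ["lmtp"]},
    {"objectClass": ["posixAccount"], "uid": ["bob"]},  # no description at all
]
# Hypothetical "original query" with the negated clause of suggestion #3 appended.
USER_FILTER = "(&(objectClass=posixAccount)(uid=%n)(!(description=%s)))"

def expand(template, user, service):
    """Expand the three short variables used here: %u, %n and %s (service)."""
    values = {"u": user, "n": user.split("@")[0], "s": service}
    # Escape RFC 4515 special characters so a substituted value cannot alter the filter.
    esc = lambda v: re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), v)
    return re.sub(r"%([uns])", lambda m: esc(values[m.group(1)]), template)

def parse(f, i=0):
    """Parse one filter starting at f[i]; supports &, |, ! and equality only."""
    op = f[i + 1]
    if op in "&|":
        kids, i = [], i + 2
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        return (op, kids), i + 1
    if op == "!":
        kid, i = parse(f, i + 2)
        return ("!", kid), i + 1
    end = f.index(")", i)
    attr, val = f[i + 1:end].split("=", 1)
    val = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), val)
    return ("=", attr, val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry."""
    if node[0] in "&|":
        results = [matches(k, entry) for k in node[1]]
        return all(results) if node[0] == "&" else any(results)
    if node[0] == "!":
        return not matches(node[1], entry)
    _, attr, val = node
    # An absent attribute makes the equality test false, so its negation is true.
    return any(v.lower() == val.lower() for v in entry.get(attr, []))

def userdb_lookup(user, service):
    """Return the entries the expanded filter selects for this user and service."""
    tree, _ = parse(expand(USER_FILTER, user, service))
    return [e for e in ENTRIES if matches(tree, e)]
```

On a live system the same check can be made per service with doveadm user -x service=lmtp <user> before relying on the filter.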